Communicating with individuals and processing personal data are an essential part of campaigning and advocacy – from policy or issue-based campaigns to engaging more directly with elections – particularly in the run-up to an election. But it is important to ensure that this is done in a lawful, proportionate and transparent way.

What are the rules?

Broadly, there are two key regimes that organisations need to consider when handling personal data as part of their political campaigning:

  1. UK GDPR and Data Protection Act 2018 – these set out the rules in relation to the handling of individuals' personal data generally (including the rights that individuals have in relation to their data).
  2. Privacy and Electronic Communications Regulations ("PECR") – these set out the rules in relation to 'direct marketing', i.e. what organisations need to do in order to lawfully contact people with marketing or campaign material.

In part one, we set out the key points in relation to PECR. This note focusses on the more general UK GDPR and Data Protection Act 2018 requirements that you should bear in mind.

Key data protection principles

Campaigning will almost always involve processing personal data, and the UK GDPR sets out a number of data protection principles that organisations must comply with as part of that processing:

1. Lawfulness – An organisation must establish a 'lawful basis' (i.e. a reason under the law) for collecting and using personal data. The most relevant lawful bases in the context of political campaigning are likely to include:

  • Legitimate interests – this is the most flexible lawful basis, and allows organisations to process personal data where necessary for the organisation's legitimate interests (including commercial interests), provided that those interests are not overridden by the rights and freedoms of individuals. Relying on this lawful basis therefore requires a balancing exercise, also known as a 'legitimate interests assessment'.
  • Consent – an organisation can process personal data where it has the consent of the relevant individual(s) to do so. This will be particularly relevant when conducting direct marketing, where consent is required (see our factsheet on marketing requirements here).
  • Public task – in some cases, organisations may be able to rely on the lawful basis that processing of personal data is necessary for the performance of a public task in the public interest. This lawful basis is likely to cover the use of personal data from the electoral register (since the use of this data for specific purposes is set out in electoral law), and may also be applicable to some campaigners (e.g. MPs and other elected officials) who need to process additional data from other sources.

Note that specific rules apply to special category data, which is particularly sensitive data that is subject to greater protections under data protection law, and which includes personal data revealing political opinions. When processing this data, organisations must establish a lawful basis and satisfy another condition for carrying out the processing – this condition may often be consent, but the most appropriate condition will depend on the circumstances.

Key point: Before you start processing, the first step is to understand what data you will be collecting and why, and what your lawful basis is.

2. Fairness – An organisation must process personal data in a way that is fair.

Key point: When considering whether your processing is fair, it's worth asking yourself:

  • Are we intending to process personal data in a way that the relevant individuals would not reasonably expect?
  • Is our proposed processing of personal data intrusive in any way, or might it be carried out without individuals' knowledge? For example, are we scraping data from social media and other platforms to understand who we can target as potential supporters?

If the answer is 'yes' to any of these questions, your processing may not be fair, and further analysis will likely be required. This is not to say that your processing is automatically not possible, but you will need to consider individuals' rights.

3. Transparency – An organisation must provide certain information to individuals about how and why it is using individuals' personal data, together with details of the relevant lawful basis and individuals' rights under the law. As noted above, a key part of 'fairness' is understanding what individuals would reasonably expect, so it's important that you tell them what you intend to do with their data.

Key point: In the context of political campaigning, data can be collected in a number of different ways and contexts, including face-to-face canvassing, petitions, surveys (whether online or paper-based), telephone marketing and telephone canvassing. Irrespective of the campaigning method, it's important that you consider the best way to provide accurate and up-to-date transparency information to individuals in a way that is sufficiently detailed (and compliant) but also practical and achievable.

If you collect data from individuals directly, you need to provide this transparency information at the time you collect their data; if you collect data about an individual from a third party, you need to provide the information to individuals within a month of obtaining their data.

4. Purpose limitation – An organisation must only collect personal data for specified purposes and must not use that data for any further, incompatible purposes. For example, if you're collecting personal data to send people campaign information, you can only use that same data for another purpose (e.g. to conduct analytics on your supporters) if you establish another lawful basis and make sure that people are informed about the new purpose (as part of the transparency information described above).

5. Data minimisation – An organisation must only collect personal data to the extent necessary for its purposes.

6. Accuracy – An organisation must ensure that personal data is kept accurate and up to date.

Key point: It would be sensible to encourage people that you engage with to let you know if their details change.

7. Storage limitation – An organisation must only retain personal data for as long as necessary in light of the purposes for which it was collected.

Key point: Consider your data retention policies. How often is the data you hold deleted – do you need to hold it for as long as you do, and if so, why? Do you have a Data Retention Policy?

8. Security – An organisation must ensure that personal data is kept secure, including by implementing appropriate technical and organisational security measures. It's worth, as a basic starting point, considering who actually needs to see data within your organisation, and making sure that only those people have that access.

9. Accountability – An organisation must be able to show how it is complying with its obligations under data protection law, including by:

  • Carrying out legitimate interests assessments (when relying on legitimate interests) and/or data protection impact assessments (for example when carrying out profiling or other intrusive types of data processing);
  • Having data protection policies and processes in place (including e.g. overarching data protection policies, data retention policies, data breach handling policies and individual rights requests policies);
  • Entering into written agreements with third parties that the organisation shares personal data with, and conducting appropriate due diligence on those third parties prior to sharing. Are you engaging any third parties to collect or analyse personal data on your behalf? It's essential that you review the terms with these service providers to ensure that they only process personal data in accordance with your instructions (and the law);
  • Training staff and volunteers on data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.